Upgrading Domain Controllers

Jimmy 41 Reputation points
2020-09-24T06:51:30.83+00:00

Hi,

We're looking at upgrading most of our DCs, which consist of both datacenter and remote-site DCs. We are looking to go from Windows 2008 R2 and 2012 R2 to 2019. There are already a few 2016 DCs which were recently built for some remote sites.

DNS is installed on all DCs. FSMO roles are on a primary DC in the datacenter, as well as KMS, etc. Nothing fancy.

I'm putting together a high and low level design for my manager before we agree on the works. Please kindly advise your thoughts on the below.

Local Sites:

  • Build new Win2019 VM with the same host name (must) and IP (preferred) and leave it off the domain
  • Demote DC and turn off the VM
  • Spin up new DC, join it onto the domain and install all necessary roles. Promote it to a DC and ensure everything is ok
  • Repeat this for other local sites
  • Will also be enabling clients to locate the next closest DC in GPO as this isn't enabled
  • Workstations are configured to use the local DC as primary DNS and DC3 in the datacenter for secondary DNS

Datacenter:

We currently have 4 DCs and looking to reduce this down to 2. DC2 currently holds FSMO roles.

  • All servers within datacenter are configured to use DC3 as primary DNS and DC4 as secondary DNS
  • Build new VM with the same name as DC1. Demote existing DC1 and shut it down
  • Join new VM (DC1) onto the domain and promote it to a DC
  • Move FSMO roles from DC2 to new DC1
  • Reconfigure all datacenter servers to use DC1 (will have new IP) as primary DNS and leave secondary DNS as is
  • Build new VM with the same name as DC2. Demote existing DC2 and shut it down
  • Join new VM (DC2) onto the domain and promote it to a DC
  • Reconfigure secondary DNS on all servers to point to DC2
  • Demote DC3 and DC4 and decommission
  • Raise domain functional level from 2008 R2 to 2016. Don't think we can go to 2019 as we already have 2016 DCs?

If everything is configured properly, is there an expected outage during any of the above steps? I understand that moving FSMO roles or decommissioning DCs should take things like NTP configured on the PDC emulator or any specific services configured to a particular DC into consideration, etc.

Is anything else missing from the above or do steps need to be re-ordered?

Thanks in advance,
James.
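The datacenter FSMO move and DNS-client repoint steps from the plan above, as an added PowerShell example that is not part of the original question. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and that the new DC1 has already been promoted and is replicating; the hostname DC1 is reused from the question, while the role list, the replication gate, the time-source check and the member-server names and addresses in the usage lines are my own constructed assumptions.

```powershell
# Added example, not from the original question. Assumes the RSAT ActiveDirectory
# module, Domain Admin rights, and a new DC1 that is already promoted and replicating.
Import-Module ActiveDirectory

$NewFsmoHolder = 'DC1'   # hostname reused from the question
$Roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
$DomainDns = (Get-ADDomain).DNSRoot

function Get-FsmoHolders {
    # One object listing all five role holders (two forest roles, three domain roles)
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Test-DcReplication ([string]$Dc) {
    # repadmin /errorsonly prints only partners whose last attempt failed
    $out = repadmin /showrepl $Dc /errorsonly
    return -not ($out -match 'failed')
}

function Move-FsmoWithVerification ([string]$Target) {
    $before = Get-FsmoHolders
    Write-Host "FSMO holders before the move:"
    $before | Format-List | Out-String | Write-Host

    # Gate: never move roles onto a DC that is not replicating cleanly
    if (-not (Test-DcReplication $Target)) {
        throw "Replication errors on $Target; fix those before moving FSMO roles"
    }

    # Transfer (not seize): the current holders must be online, which they are in
    # this plan because old DC2 is demoted only after the move completes.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles -Confirm:$false

    $after = Get-FsmoHolders
    foreach ($r in $Roles) {
        if ($after.$r -notlike "$Target.*") { throw "Role $r still reports $($after.$r)" }
    }

    # PDC emulator caveat from the question: the new PDCe must sync from an external
    # source, otherwise the whole domain drifts with its own hardware clock.
    $src = w32tm /query /computer:$Target /source
    if ($src -match 'Local CMOS Clock|Free-running') {
        Write-Warning "Set an external NTP source on $Target (w32tm /config /manualpeerlist:<ntp host> /syncfromflags:manual /reliable:yes /update)"
    }
    return $after
}

function Set-ServerDnsClients ([string[]]$Servers, [string]$Primary, [string]$Secondary, [string]$Zone) {
    # Repoint member servers' DNS clients (the datacenter step in the plan), keeping
    # the previous addresses in the output so the change can be rolled back.
    $log = foreach ($s in $Servers) {
        Invoke-Command -ComputerName $s -ArgumentList $Primary, $Secondary, $Zone -ScriptBlock {
            param($p, $sec, $zone)
            $nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
            $old = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
            Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $p, $sec
            # Prove the new primary actually answers for the domain before moving on
            $ok = [bool](Resolve-DnsName -Name $zone -Server $p -ErrorAction SilentlyContinue)
            [pscustomobject]@{ Server = $env:COMPUTERNAME; Old = ($old -join ','); New = "$p,$sec"; Resolves = $ok }
        }
    }
    return $log
}

# Usage for the datacenter sequence (server names and addresses are constructed placeholders):
# Move-FsmoWithVerification -Target $NewFsmoHolder
# Set-ServerDnsClients -Servers 'APP01','SQL01' -Primary '10.0.0.11' -Secondary '10.0.0.13' -Zone $DomainDns | Format-Table
```

Run the DNS repoint only after the FSMO move has been verified, and check the `Resolves` column of its output before touching the secondary address in the later step; a server whose new primary does not answer is the one that will fall back to the DC you are about to demote.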


Accepted answer
Daisy Zhou 22,476 Reputation points Microsoft Vendor
2020-09-24T08:51:19.88+00:00

Hello @Jimmy,

Thank you for posting here.

Based on the description, I think the steps above should be OK.

Meanwhile, here is some additional information we can consider:

First

After we ensure the forest functional level is 2008 and the SYSVOL replication type is DFSR, we can add one Windows Server 2019 server to the existing domain and promote it as a domain controller.

From the link below, we can see:

Windows Server 2019
There are no new forest or domain functional levels added in this release.

The minimum requirement to add a Windows Server 2019 Domain Controller is a Windows Server 2008 functional level. The domain also has to use DFS-R as the engine to replicate SYSVOL.

Forest and Domain Functional Levels
https://video2.skills-academy.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels

Second
Before we make any change in the existing AD domain environment, we had better do the following:

1. Check if the AD environment is healthy. Check that all DCs in this domain are working fine by running Dcdiag /v.
   Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum.
2. Check that both the SYSVOL folder and the Netlogon folder are shared by running net share on each DC.
3. Check that we can run gpupdate /force on each DC successfully.
4. Back up all domain controllers if needed.
5. We had better perform the DC migration during downtime.

Third
Before raising the functional level, we can check:

1. Ensure that all domain functional levels are equal to or higher than the forest functional level;
2. Ensure that the operating system level of all domain controllers is equal to or higher than the domain functional level;
3. Make the new DC a GC, too.

Fourth
If the old DCs are also DNS servers, before we demote the old DCs we should:
If the old DC was a DNS server, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution. If it is required, modify the DHCP scope to reflect the removal of the DNS server.
If the old DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the old DC for name resolution.

Fifth
If we have installed any other roles on the old Domain Controllers, migrate all the roles if needed.

Hope the information above is helpful.

Best Regards,
Daisy Zhou

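The pre-change checks listed in the answer above (dcdiag, repadmin, SYSVOL/NETLOGON shares, gpupdate) together with the functional-level and DFS-R prerequisites for a Windows Server 2019 DC, scripted as an added PowerShell example that is not part of the answer or of any Microsoft tooling. It assumes the RSAT ActiveDirectory module, admin rights and WinRM access on every DC, and that the FRS-to-DFSR migration state is readable from the DFSR-GlobalSettings object (the value 48 for the "Eliminated" state is a documented msDFSR-Flags value, not something from this page).

```powershell
# Added example, not from the answer. Scripts the pre-change health checks and the
# prerequisites for adding a 2019 DC. Assumes RSAT ActiveDirectory and WinRM to each DC.
Import-Module ActiveDirectory

function Test-SysvolOnDfsr {
    # msDFSR-Flags on CN=DFSR-GlobalSettings records the FRS->DFSR migration state;
    # 48 = Eliminated (SYSVOL fully on DFS-R). A missing object means never migrated.
    $dn = "CN=DFSR-GlobalSettings,CN=System,$((Get-ADDomain).DistinguishedName)"
    try {
        $o = Get-ADObject -Identity $dn -Properties 'msDFSR-Flags' -ErrorAction Stop
        return ($o.'msDFSR-Flags' -eq 48)
    } catch { return $false }
}

function Get-FunctionalLevelReport {
    # Answer's "First" and "Third": levels, DFS-R, GC status and OS of every DC
    $f = Get-ADForest
    $d = Get-ADDomain
    $dcs = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem, IsGlobalCatalog, Site
    [pscustomobject]@{
        ForestMode   = $f.ForestMode
        DomainMode   = $d.DomainMode
        SysvolDfsr   = Test-SysvolOnDfsr
        NonGcDcs     = @($dcs | Where-Object { -not $_.IsGlobalCatalog } | ForEach-Object HostName)
        DcOperatingSystems = @($dcs | ForEach-Object { "$($_.HostName): $($_.OperatingSystem)" })
        ReadyFor2019 = ($f.ForestMode -ge [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest) -and (Test-SysvolOnDfsr)
    }
}

function Test-DcHealth ([string]$Dc) {
    # Answer's "Second": dcdiag /q prints only failures, so empty output means all tests passed
    $diag = dcdiag "/s:$Dc" /q
    # repadmin /errorsonly prints only partners whose last replication attempt failed
    $repl = repadmin /showrepl $Dc /errorsonly
    # Share and gpupdate checks have to run on the DC itself
    $remote = Invoke-Command -ComputerName $Dc -ScriptBlock {
        $shares = net share
        $null   = gpupdate /force
        $gpExit = $LASTEXITCODE
        [pscustomobject]@{
            Sysvol     = [bool]($shares -match '^SYSVOL\s')
            Netlogon   = [bool]($shares -match '^NETLOGON\s')
            GpUpdateOk = ($gpExit -eq 0)
        }
    }
    [pscustomobject]@{
        DC         = $Dc
        DcdiagOk   = (-not $diag)
        ReplOk     = (-not ($repl -match 'failed'))
        Sysvol     = $remote.Sysvol
        Netlogon   = $remote.Netlogon
        GpUpdateOk = $remote.GpUpdateOk
        DcdiagOutput = ($diag -join ' ')
    }
}

function Invoke-DcPreflight {
    # Returns $true only when every DC passes every check and the 2019 prerequisites hold
    $levels = Get-FunctionalLevelReport
    $levels | Format-List | Out-String | Write-Host

    $dcNames = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $health  = foreach ($dc in $dcNames) { Test-DcHealth $dc }
    $health | Format-Table DC, DcdiagOk, ReplOk, Sysvol, Netlogon, GpUpdateOk -AutoSize | Out-String | Write-Host

    $bad = $health | Where-Object { -not ($_.DcdiagOk -and $_.ReplOk -and $_.Sysvol -and $_.Netlogon -and $_.GpUpdateOk) }
    return ($levels.ReadyFor2019 -and $levels.NonGcDcs.Count -eq 0 -and -not $bad)
}

# Usage: run before the first demotion, and again after each promotion.
# if (-not (Invoke-DcPreflight)) { Write-Warning 'Fix the failing checks before continuing the migration' }
```

Re-run `Invoke-DcPreflight` after each promote/demote cycle in the plan rather than only once at the start: the checks are cheap, and a DC that stops sharing SYSVOL or accumulates replication failures midway through is exactly what the answer's "check AD health first" advice is meant to catch before the next DC is removed.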

